Edgewall Software

Changes between Version 63 and Version 64 of TracFineGrainedPermissions


Ignore:
Timestamp:
Mar 18, 2017, 6:21:38 PM (3 years ago)
Author:
Ryan J Ollos
Comment:

Minor edits.

Legend:

Unmodified
Added
Removed
Modified
  • TracFineGrainedPermissions

    v63 v64  
    33[[TracGuideToc]]
    44
    5 There is a general mechanism in place that allows custom **permission policy plugins** to grant or deny any action on any kind of Trac resource, even at the level of specific versions of such resources.
     5There is a general mechanism in place that allows custom **permission policies** to grant or deny any action on any Trac resource, or even specific versions of a resource.
    66
    77That mechanism is `authz_policy`, which is an optional module in `tracopt.perm.authz_policy.*`, so it is installed by default. It can be activated via the //Plugins// panel in the Trac administration module.
     
    1111A great diversity of permission policies can be implemented and Trac comes with a few examples.
    1212
    13 Which policies are currently active is determined by a configuration setting in TracIni:
     13The active policies are determined by a [TracIni#trac-permission_policies-option configuration setting]:
    1414
    1515{{{#!ini
     
    1717permission_policies = ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
    1818}}}
    19 This lists the [#ReadonlyWikiPolicy] which controls readonly access to wiki pages, followed by the !DefaultPermissionPolicy which checks for the traditional coarse grained style permissions described in TracPermissions, and the !LegacyAttachmentPolicy which knows how to use the coarse grained permissions for checking the permissions available on attachments.
     19
     20* [#ReadonlyWikiPolicy] controls readonly access to wiki pages.
     21* !DefaultPermissionPolicy checks for the traditional coarse-grained permissions described in TracPermissions.
     22* !LegacyAttachmentPolicy uses the coarse-grained permissions to check permissions on attachments.
    2023
    2124Among the optional choices, there is [#AuthzPolicy], a very generic permission policy, based on an Authz-style system. See
    22 [trac:source:branches/1.0-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
    23 
    24 Another popular permission policy [#AuthzSourcePolicy], re-implements the pre-0.12 support for checking fine-grained permissions limited to Subversion repositories in terms of the new system.
    25 
    26 See also [trac:source:branches/1.0-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
     25[trac:source:branches/1.2-stable/tracopt/perm/authz_policy.py authz_policy.py] for details.
     26
     27Another permission policy [#AuthzSourcePolicy], uses the [http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html path-based authorization] defined by Subversion to enforce permissions on the version control system.
     28
     29See also [trac:source:branches/1.2-stable/sample-plugins/permissions sample-plugins/permissions] for more examples.
    2730
    2831=== !AuthzPolicy ===
    2932==== Configuration ====
    30 * Put a [http://swapoff.org/files/authzpolicy.conf authzpolicy.conf] file somewhere, preferably on a secured location on the server, not readable for others than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
     33* Put a [http://swapoff.org/files/authzpolicy.conf conf] file in a secure location on the server, not readable by users other than the webuser. If the  file contains non-ASCII characters, the UTF-8 encoding should be used.
    3134* Update your `trac.ini`:
    3235  1. modify the [TracIni#trac-section permission_policies] entry in the `[trac]` section:
    3336{{{#!ini
    3437[trac]
    35 ...
    3638permission_policies = AuthzPolicy, ReadonlyWikiPolicy, DefaultPermissionPolicy, LegacyAttachmentPolicy
    3739}}}
    38   1. add a new `[authz_policy]` section:
     40  1. add a new `[authz_policy]` section and point the `authz_file` option to the conf file:
    3941{{{#!ini
    4042[authz_policy]